通过编程方式将HSM客户端生成的密钥与RFS服务器同步 [英] Programmatically synchronizing keys generated by HSM clients with the RFS server

问题描述

我正在使用PKCS11Interop在HSM内部执行密钥管理操作。我使用的HSM是网络HSM，Thales N-Shield。以下是我的设置的详细信息：

I am using PKCS11Interop to perform Key Management operations inside an HSM. The HSM I am using is a network HSM, Thales N-Shield. Here are the details of my setup:

1- HSM

1- RFS服务器

3-客户端

我的软件应用程序已分发并托管在3个客户端上。密钥将在其中一个客户端中生成，并且可以由其他客户端中存在的应用程序组件使用。

My software application is distributed and is hosted over the 3 clients. The key will be generated in one of the clients and could be used by the application components present in other clients.

但是，我注意到一个客户端中生成了一个密钥除非两个客户端都执行rfs-sync，否则其他客户端计算机无法访问该计算机。

However, I have noticed that a key generated in one client machine is not accessible to other client machines until unless both clients do an rfs-sync.

问题：是否可以使用某些PKCS11Interop API将客户端密钥与RFS同步？如果否，那么我可以通过什么方式在RFS和客户端计算机之间同步密钥。

Question: Is there a way to synchronize the client keys with the RFS using some PKCS11Interop API? If No, then in what way I can synchronize the keys between RFS and the Client machine.

我知道一个exe可以使用C＃代码执行，但看起来并不干净。

I know that an exe can be execute using C# code but doesn't look like a clean apporach.

推荐答案

您要尝试执行的操作不属于PKCS＃11标准。因此，我怀疑PKCS11Interop是否能够实现这一目标（请查看其文档此处）。

What you are trying to do is not part of the PKCS#11 standard. So I doubt that PKCS11Interop will be able to achieve this (from looking at its documentation here).

当您使用PKCS＃11（PKCS11Interop）在令牌（Thales n-Shield）上生成对象时，安装在客户端上的Thale安全管理器实际上是在HSM。如果我没记错的话，Thales将这些对象作为平面文件存储在客户端计算机上，这些文件通过安全管理器的主密钥加密。因此，从技术上讲，它不存储在HSM中。这就是您必须与RFS进行同步，然后更新其他客户端以查看新的键/对象的原因。

When you generate an object on the token (Thales n-Shield) using PKCS#11 (PKCS11Interop), the Thale's security manager that's installed on the client is actually doing the generation on the HSM. If I remember correctly, the Thales stores these objects on the client machine as flat files encrypted by the security manager's master key. So technically it is not stored on the HSM. This is the reason you have to do a sync with the RFS, and then update your other clients to see the new keys/objects.

您必须与泰雷兹人看他们是否可以提供一种自动化的方法。或者，您必须实现自己的同步机制。由于rfs-sync是Thales提供的命令行工具，因此您将查看是否可以通过C＃执行命令。或与他们确认是否有C＃库为您完成此任务。

You will have to check with the Thales people to see if they can provide a way to automate this. Or you have to implement your own synching mechanism. Since the rfs-sync is a command line tool Thales provides, you will to see if you can execute the commands through C#. Or check with them if they have a C# library that does this for you.

这篇关于通过编程方式将HSM客户端生成的密钥与RFS服务器同步的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！